supply-chain
Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.
749 articles
A Defender's Template for Package Registry Incident Communications, Built from the 2025-2026 Response Postmortems
The npm Shai-Hulud, PyPI credential-leak, and tj-actions response postmortems published through 2025-2026 reveal a common communication shape. Here is the template, the timing, and the policy that turns the template into a fast response.
Netlify Build Plugins as arbitrary code execution at build time in 2026
The @netlify/plugin-* ecosystem runs in your build with full filesystem and network access. Here is how to evaluate, allowlist, and gate it in 2026.
Nonprofit software supply chain risk in 2026
Donor CRMs, grant management platforms, and what the 2020 Blackbaud ransomware incident still teaches the nonprofit sector about resource-constrained software supply chain reality.
A practical framework for assessing single-maintainer project risk
Truck factor is the headline metric, but it is not enough. Here is a working framework for evaluating single-maintainer projects in your dependency tree without panicking or being naive.
Squid proxy memory corruption CVEs: a supply chain perspective
Squid's recurring memory-corruption CVEs in 2024 and 2025 are a reminder that transparent egress proxies sit on a critical path and rarely get the SBOM scrutiny their position deserves.
npm Trusted Publishing walkthrough: retiring long-lived publish tokens
npm Trusted Publishing replaces long-lived publish tokens with short-lived OIDC-issued credentials tied to a specific CI workflow. Here is the 2026 rollout state, what the migration actually looks like, and where the rough edges still are.
TanStack and the Mini Shai-Hulud npm Worm (May 2026): Anatomy of a CI-Native Supply Chain Attack
On 11-12 May 2026, the TeamPCP-linked Mini Shai-Hulud worm published 84 malicious artifacts across 42 TanStack npm packages in six minutes, then spread to 160+ packages by abusing GitHub Actions OIDC tokens and CI cache poisoning.
Vercel Edge Functions supply chain risks in 2026
Edge Functions, middleware, and Edge Config combine npm trust, build-step trust, and a secret surface that runs at every request. Here is the 2026 control set.
AgTech and food-tech software supply chain risk in 2026
Precision agriculture platforms, FSMA 204 traceability databases, and the John Deere right-to-repair debate as a software supply chain question rather than a property rights one.
Maintainer burnout is a supply-chain risk: lessons from xz-utils
The xz-utils backdoor was made possible because a single exhausted maintainer accepted help from a patient and well-resourced stranger. Sustaining critical maintainers is now a security problem, not just a moral one.
DHS/CISA Binding Operational Directives and supply chain cascade effects in 2026
BOD 22-01 (KEV) and BOD 23-02 (external attack surface) apply directly to federal civilian agencies, but their downstream contractual cascade into the software supply chain is now the more consequential effect.
npm provenance attestations walkthrough for 2026
npm provenance ties a published package to the specific GitHub Actions run that built it, signed through sigstore. Here is how to enable it for a publisher, verify it on the install side, and enforce it in CI without breaking your release process.